On 27 Mar 2013, at 19:20, Ben Stuyts wrote: > Hi Steve, > > On 26 mrt. 2013, at 17:54, Steven Morgan <smor...@sourcefire.com> wrote: > >> Ben, >> >> I am looking into this issue. In the meantime, can you get any effect from >> increasing the clamd.conf parameters ReadTimeout, CommandReadTimeout, >> SendBufTimeout, and SelfCheck? > > I have doubled them and will let clamdscan run tonight. I'll report the > results tomorrow.
Unfortunately, this did not have any effect. Same number of errors. What is odd is that these errors happen in quick succession. The scan started at 21h10, and it seemed to go ok for about 64 minutes: Thu Mar 28 20:49:25 2013 -> SelfCheck: Database status OK. Thu Mar 28 21:10:00 2013 -> SelfCheck: Database status OK. Thu Mar 28 21:30:00 2013 -> SelfCheck: Database status OK. Thu Mar 28 21:50:00 2013 -> SelfCheck: Database status OK. Thu Mar 28 22:10:00 2013 -> SelfCheck: Database status OK. Thu Mar 28 22:14:10 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:11 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:12 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:15 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:15 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:16 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:18 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:19 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:14:29 2013 -> Client disconnected while scanjob was active Thu Mar 28 22:34:04 2013 -> SelfCheck: Database status OK. Is there any way to log which files are being scanned at that moment? At 22:14:29 the scan was considered 'finished' with no errors: ----------- SCAN SUMMARY ----------- Infected files: 0 Time: 3868.837 sec (64 m 28 s) Should I increase the parameters even more? Ben > > Thanks, > Ben > > >> >> Steve >> >> On Mon, Mar 25, 2013 at 12:26 PM, Ben Stuyts <b...@altesco.nl> wrote: >> >>> Well, still no luck, same errors over the weekend. Anybody have any other >>> ideas? >>> >>> Thanks, >>> Ben >>> >>> On 22 mrt. 2013, at 18:43, Ben Stuyts <b...@altesco.nl> wrote: >>> >>>> >>>> On 22 mrt. 2013, at 18:29, David Raynor <dray...@sourcefire.com> wrote: >>>> >>>>> On Fri, Mar 22, 2013 at 1:11 PM, Ben Stuyts <b...@altesco.nl> wrote: >>>>> >>>>>> Hi, >>>>>> >>>>>> I was using clamscan for daily scanning of our user's home directories, >>>>>> but it was getting too slow with scan times of up to 6 hours. Therefor >>> I'm >>>>>> testing clamdscan and using multiple threads to scan. (cmd line is >>>>>> /usr/local/bin/clamdscan -m --fdpass /home) >>>>>> >>>>>> I am getting the following error messages from clamd while scanning, >>> and >>>>>> it's missing a lot of files. If put the Eicar test file at various >>> spots >>>>>> and it's being missed by the scan. >>>>>> >>>>>> Thu Mar 21 22:00:01 2013 -> SelfCheck: Database status OK. >>>>>> Thu Mar 21 22:10:01 2013 -> SelfCheck: Database status OK. >>>>>> Thu Mar 21 22:13:48 2013 -> Client disconnected while scanjob was >>> active >>>>>> Thu Mar 21 22:13:48 2013 -> Client disconnected while scanjob was >>> active >>>>>> (repeat...) >>>>>> Thu Mar 21 22:14:06 2013 -> Client disconnected while scanjob was >>> active >>>>>> Thu Mar 21 22:17:29 2013 -> Reading databases from /var/db/clamav >>>>>> Thu Mar 21 22:17:36 2013 -> Database correctly reloaded (2019434 >>>>>> signatures) >>>>>> >>>>>> Output from clamdscan, no errors: >>>>>> >>>>>> ----------- SCAN SUMMARY ----------- >>>>>> Infected files: 0 >>>>>> Time: 3846.032 sec (64 m 6 s) >>>>>> >>>>>> This is on FreeBSD 7.4-stable, clamav-0.97.7 (clamav-0.97.6 had the >>> same >>>>>> problem). The home directories are all zfs based. clamd runs as user >>>>>> clamav, clamdscan as user root. >>>>>> >>>>>> What could be causing this? >>>>>> >>>>>> Kind regards, >>>>>> Ben >>>>>> >>>>>> _______________________________________________ >>>>>> Help us build a comprehensive ClamAV guide: visit >>> http://wiki.clamav.net >>>>>> http://www.clamav.net/support/ml >>>>>> >>>>> >>>>> Ben, >>>>> >>>>> The "Client disconnected while scanjob was active" lines can also show >>> up >>>>> when the scanning threads are being told to shutdown. Did freshclam run >>> and >>>>> update your signatures during this scan? >>>>> >>>>> Dave R. >>>>> >>>>> -- >>>>> --- >>>>> Dave Raynor >>>>> Sourcefire Vulnerability Research Team >>>>> dray...@sourcefire.com >>>>> _______________________________________________ >>>>> Help us build a comprehensive ClamAV guide: visit >>> http://wiki.clamav.net >>>>> http://www.clamav.net/support/ml >>>>> >>>> >>>> Yes it ran, but at the end at 22:17, not at 22:13 when the first errors >>> appeared. From freshclam.log: >>>> >>>> -------------------------------------- >>>> Received signal: wake up >>>> ClamAV update process started at Thu Mar 21 20:17:17 2013 >>>> >>>> ... and then the next entry: >>>> -------------------------------------- >>>> Received signal: wake up >>>> ClamAV update process started at Thu Mar 21 22:17:23 2013 >>>> main.cld is up to date (version: 54, sigs: 1044387, f-level: 60, >>> builder: sven) >>>> WARNING: getfile: daily-16881.cdiff not found on remote server (IP: >>> 217.19.16.188) >>>> WARNING: getpatch: Can't download daily-16881.cdiff from >>> database.clamav.net >>>> Downloading daily-16881.cdiff [100%] >>>> daily.cld updated (version: 16881, sigs: 980411, f-level: 63, builder: >>> guitar) >>>> bytecode.cld is up to date (version: 214, sigs: 41, f-level: 63, >>> builder: neo) >>>> Database updated (2024839 signatures) from database.clamav.net (IP: >>> 145.58.29.83) >>>> Clamd successfully notified about the update. >>>> >>>> ... and the next: >>>> -------------------------------------- >>>> Received signal: wake up >>>> ClamAV update process started at Fri Mar 22 00:17:29 2013 >>>> >>>> There were also a few incoming e-mails during that time which were >>> scanned via clamav-milter and clamd. Could that have an effect? >>>> >>>> Ben >>>> >>>> _______________________________________________ >>>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net >>>> http://www.clamav.net/support/ml >>>> >>> >>> _______________________________________________ >>> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net >>> http://www.clamav.net/support/ml >>> >> _______________________________________________ >> Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net >> http://www.clamav.net/support/ml >> > > _______________________________________________ > Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net > http://www.clamav.net/support/ml > _______________________________________________ Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net http://www.clamav.net/support/ml
